Currently when I telnet to the router, I get prompted for a password, but no username. The password is the enable secret password. I get connected to the router but in exec mode. I can then enter the enable password and I get to the enable prompt.

What I want is to get prompted by the router for username/password and once authenticated, be set to the enable prompt.

"The lines in the preceding sample configuration are defined as follows:
• The aaa new-model command enables the AAA security services.
• The aaa authentication command defines the default method list. Incoming ASCII logins on all interfaces (by default) will use TACACS+ for authentication. If no TACACS+ server responds, then the network access server will use the information contained in the local username database for authentication.

I have a few debugs running
(AAA Authentication / AAA Authorization / TACACS)

When I go to log in I see, from the TACACS debug (among other things):
GET_USER, then I see GET_PASSWORD, then I see 'Received authen response status PASS', but right after that I see an 'AAA/AUTHOR' debug message that says 'Method list id=0 not configured Skip author'.

I would think that the 'service = shell {
priv-lvl = 15' line would get me the enable prompt.

OK... I think it's the combination of 2 things: your router config and your tac_plus.conf file. I'm not clear on how to use priv-lvl in the config, so maybe that works, but I don't know. This will at least get you working; you can tinker from there.

This will use tacacs first on all connections (vty, con, aux). If tacacs is unavailable, it will authorize against the enable password.

Above is the config that I'm running, and here's how it works:
When I log into the router, it prompts for a username (amay). Then I use 'admin' for the password. That drops me to exec. Then if I 'en' I get prompted for a password and I use 'adminenable' and I get to the enable prompt.

OK...I finally got it...and of course, it was a simple change.
I had to change:
service = shell
to
service = exec
Oh, and one other thing (rookie mistake): the 'group' section should come before the 'user' section.
----------------------
My tac_plus.conf file:
----------------------
key = newtac

tacacs-server host 10.11.12.13 single-connection
tacacs-server timeout 8
tacacs-server key newtac
----------------------
My end result is that when I telnet into a NAS, I get prompted for my username and then password; if both are correct, I get dropped to the enable prompt.
I did not have to add any other commands or changes to my console port, aux port or vty lines to make this work.
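
The two changes reported in the post above (service = exec instead of service = shell, and the group block ahead of the user block) can be checked mechanically before reloading tac_plus. This is an added example, not part of the original thread or the poster's file; the user name `netadmin`, the group name `admins`, the `EXAMPLE` password and the function `lint_tac_plus` are assumptions made up for the illustration.

```python
import re

# Constructed sample (not the poster's file): user block first, service = shell.
SAMPLE_BEFORE = """\
key = newtac
user = netadmin {
    member = admins
    login = cleartext EXAMPLE
}
group = admins {
    service = shell {
        priv-lvl = 15
    }
}
"""
# Constructed sample with both changes from the post applied.
SAMPLE_AFTER = """\
key = newtac
group = admins {
    service = exec {
        priv-lvl = 15
    }
}
user = netadmin {
    member = admins
    login = cleartext EXAMPLE
}
"""
KEY_LINE = re.compile(r"\s*(group|member|service)\s*=\s*([\w.-]+)")

def lint_tac_plus(conf):
    """Return (line_number, message) findings for the two mistakes in the post."""
    findings, groups_seen = [], set()
    for number, line in enumerate(conf.splitlines(), 1):
        match = KEY_LINE.match(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        key, value = match.groups()
        if key == "group":
            groups_seen.add(value)
        elif key == "member" and value not in groups_seen:
            findings.append((number, f"group '{value}' is used before its group block"))
        elif key == "service" and value == "shell":
            findings.append((number, "service = shell; the post needed service = exec"))
    return findings

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, lint_tac_plus(text) or "no findings")
```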

My first posting on a forum! I wanted to add value to this thread after many evenings of unsuccessful attempts at getting TACACS to work. Although Mazz already has his working, I wanted to append this for those who might have an issue similar to mine.

After perusing a Cisco AAA Troubleshooting guide I determined that the reason I was not communicating with my TACACS server was because the firewall was turned on and port 49 had not been added to the allowed list.

Keep this in mind if you are not getting replies from your TACACS server in your log when you have debug on.